The introduction of electronic voting machines in India at the turn of the century helped reduce the capture of polling stations and the stuffing of ballot boxes by mobs hired by political parties. Using data from state elections, researchers Sisir Debnath, Mudit Kapoor and Shamika Ravi studied the impact of the voting machines in a 2017 research paper. They found that the machines had significantly reduced electoral fraud, helped the poor and the weak to come out and vote, and made elections more competitive.
However, from time to time, doubts have been raised about the machines. Parties, usually on the losing side, have often cavalierly alleged that the machines can be hacked into and ballots rigged. India’s election authorities rejected claims by a US-based technologist who said the machines were hacked during the 2014 general elections in which Narendra Modi’s right-wing BJP party swept to power.
In the US, where voting machines were introduced some 15 years ago – there are now about 35,000 of them in use – there have been concerns over machines with no back-up paper trail misreading the vote. Eight years ago, University of Michigan scientists connected a home-made device to a machine and were able to change results by sending text messages from a mobile phone. Indian authorities rubbished the claim, saying that even getting hold of machines to tamper with would be very difficult. The authorities insist that the machines and their records are not accessible to anyone outside this group.
For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven’t been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department’s Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking. The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems.
DARPA had announced earlier that Galois will be developing a voting system as the demonstration vehicle for this secure system, built with fully open source hardware and software. While the voting system is not intended for production, it serves as an important demonstration of how DARPA technology can be used for a critical infrastructure system.
The voting system will be publicly “red teamed” in the voting village at DEF CON 2019 and DEF CON 2020 so attendees can examine it and conduct penetration tests to gauge its security. The demonstration will include both an end-to-end verifiable and a traditional non-verifiable voting system.
In 2019 there will be a smart ballot box on SSITH hardware, while the 2020 event will feature all components on SSITH hardware, including both the ballot marking device and optical scan systems. A scaled down, low cost version of the system will be made available via Crowd Supply so anyone can buy it, experiment with it and use it to run even informal elections such as for school clubs or sports teams.
They’ll also be working with a number of university teams over the next year to have them examine the systems in formal test environments. “Def Con is great, but [hackers there] will not give us as much technical details as we want [about problems they find in the systems],” Linton Salmon, program manager in DARPA’s Microsystems Technology Office who is overseeing the project, said in a phone call. “Universities will give us more information. But we won’t have as many people or as high visibility when we do it with universities.”
Further, the topic of election system security has become an increasingly critical area of concern for the hacker and security community, as well as the United States more broadly. “DARPA focuses on creating technologies to enhance national defense, and election system security falls within that remit. Eroding trust in the election process is a threat to the very fabric of our democracy,” noted Salmon.
DARPA Is Building a $10 Million, Open Source, Secure Voting System
The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don’t have to blindly trust that the machines and election officials delivered correct results.
Many of today’s hardware defenses cover very specific instances or vulnerabilities, leaving much open to attack or compromise. Instead of tackling individual instances, SSITH researchers are building defenses that address classes of vulnerabilities. In particular, SSITH is tackling seven vulnerability classes identified by the NIST Common Weakness Enumeration Specification (CWE), which span exploitation of permissions and privilege in the system architectures, memory errors, information leakage, and code injection.
A few years ago, DARPA created its System Security Integration Through Hardware and Firmware (SSITH) program to break the cycle of vulnerability exploitation. The goal of SSITH is to develop new hardware security architectures and associated design tools that provide security against hardware vulnerabilities that are exploited through software.
“There are a whole set of cyber vulnerabilities that happen in electronic systems that are at their core due to hardware vulnerabilities – or vulnerabilities that hardware could block,” said Dr. Linton Salmon, the program manager leading SSITH. “Current efforts to provide electronic security largely rely on robust software development and integration, utilizing an endless cycle of developing and deploying patches to the software firewall without addressing the underlying hardware vulnerability. The basic concept around SSITH is to make hardware a more significant participant in cybersecurity, rather than relegating system security only to software.”
Under the SSITH program, researchers are exploring a number of different design approaches that go well beyond patching. These include using metadata tagging to detect unauthorized system access; employing formal methods to reason about integrated circuit systems and guarantee the accuracy of security characteristics; and combining hardware performance counters (HPCs) with machine learning to detect attacks and establish protective fences within the hardware. One team from the University of Michigan is developing a novel security approach that changes the unspecified semantics of a system every 50 milliseconds. Currently, attackers continuously probe a system to locate these undefined sections and, over time, are able to create a system map to identify possible hacks. By changing the construct every 50 milliseconds, attackers do not have enough time to find those weaknesses or develop an accurate representation of the system as a whole.
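The metadata-tagging approach mentioned above can be pictured with a simplified software model in which every memory word carries a tag that is checked on each store. This is an added example, not code from DARPA, Galois or any SSITH team; the tag names, memory layout and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MEM_WORDS 16

/* Tags are metadata held beside each word; ordinary stores cannot change them. */
enum tag { TAG_FREE = 0, TAG_BALLOT = 1, TAG_TALLY = 2 };  /* hypothetical names */

struct tagged_mem {
    uint32_t word[MEM_WORDS];
    uint8_t  tag[MEM_WORDS];
    unsigned violations;           /* count of blocked accesses */
};

struct tagged_ptr { size_t base; uint8_t tag; };

/* Trusted allocator: tags a region and returns a pointer carrying that tag. */
static struct tagged_ptr tm_alloc(struct tagged_mem *m, size_t base,
                                  size_t len, uint8_t tag)
{
    for (size_t i = 0; i < len && base + i < MEM_WORDS; i++)
        m->tag[base + i] = tag;
    return (struct tagged_ptr){ base, tag };
}

/* Checked store: 0 on success, -1 on a tag mismatch (memory left unchanged). */
static int tm_store(struct tagged_mem *m, struct tagged_ptr p,
                    size_t off, uint32_t v)
{
    size_t addr = p.base + off;
    if (addr >= MEM_WORDS || m->tag[addr] != p.tag) {
        m->violations++;
        return -1;
    }
    m->word[addr] = v;
    return 0;
}

/* Constructed scenario: an off-by-one loop on a 4-word buffer that sits
 * directly before a differently tagged word. Returns 1 if the stray write
 * was blocked and the neighbouring word kept its value. */
static int demo_overflow_blocked(void)
{
    struct tagged_mem m = {0};
    struct tagged_ptr ballot = tm_alloc(&m, 0, 4, TAG_BALLOT);
    struct tagged_ptr tally  = tm_alloc(&m, 4, 1, TAG_TALLY);
    int blocked = 0;

    tm_store(&m, tally, 0, 100);
    for (size_t i = 0; i < 5; i++)          /* bug: writes 5 words, not 4 */
        if (tm_store(&m, ballot, i, 0xFFFFFFFFu) != 0)
            blocked++;
    return blocked == 1 && m.word[4] == 100 && m.violations == 1;
}

int main(void)
{
    printf("overflow blocked: %d\n", demo_overflow_blocked());
    return 0;
}
```

In hardware the check runs alongside the memory access instead of as a function call, so the software bug remains but the class of out-of-bounds write it enables is stopped.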
RISC-V Foundation member Galois is one of the companies participating in the SSITH program, developing tools and techniques for quantitatively measuring and reasoning about system security, particularly for hardware. As part of this program, Galois is working to develop baseline processors from which security improvements will be measured, port and support baseline operating systems and compilers for those CPUs, and develop a demonstration application for secure hardware.
The voting system will be built on open source RISC-V CPUs and will incorporate auditable software components, enabling the public to review both the software and the hardware since the RISC-V ISA is public and standardized. The purpose of this system is to spur continued research and innovation to develop more secure hardware and software solutions for the benefit of everyone.
Hacker Community to Take on DARPA Hardware Defenses at DEF CON 2019
To evaluate the hardware security concepts in development on the SSITH program, DARPA – working with Galois – is pursuing a voting system evaluation effort to provide a demonstration system that facilitates open challenges. The program elected to use a voting system as its demonstration platform to provide researchers with an accessible application that can be evaluated in an open forum.
While protecting democracy is a critical national defense issue, SSITH is not trying to solve all issues with election system security nor is it working to provide a specific solution to use during elections. “We expect the voting booth demonstrator to provide tools, concepts, and ideas that the election enterprise can use to increase security, however, our true aim is to improve security for all electronic systems. This includes election equipment, but also defense systems, commercial devices, and beyond,” said Salmon.
During DEF CON 2019, the SSITH voting system demonstrator will consist of a set of RISC-V processors that the research teams will modify to include their SSITH security features. These processors will be mounted on field programmable gate arrays (FPGAs) and incorporated into a secure ballot box. Hackers will have access to the system via an Ethernet port as well as a USB port, through which they can load software or other attacks to challenge the SSITH hardware. Since SSITH’s research is still in the early stages, only two prototype versions of the 15 processors in development will be available for evaluation.
“At this year’s Voting Village, hackers may find issues with the processors and quite frankly we would consider that a success. We want to be transparent about the technologies we are creating and find any problems in these venues before the technology is placed in another venue where a compromise could be more dangerous,” said Salmon.
Following DEF CON 2019, the voting system evaluation effort will go on a university roadshow where additional cybersecurity experts will have an opportunity to further analyze and hack the technology. In 2020, DARPA plans to return to DEF CON with an entire voting system, which will incorporate fixes to the issues discovered during the previous year’s evaluation efforts. The 2020 demonstrator will use the STAR-Vote system architecture, which is a documented, open source architecture that includes a system of microprocessors for the voting booth, ballot box, and other components. It also includes a verifiable paper ballot, providing both digital and physical representations of the votes cast within the booth.
“While the 2020 demonstrator will provide a better representation of the full attack surface, the exercise will not result in a deployable voting system. To aid in the advancement of secure election equipment as well as electronic systems more broadly, the hardware design approaches and techniques developed during the SSITH program will be made available to the community as open-source items,” concluded Salmon.